[maqp]

"These days RSA is only used in digital signatures (which are not encryption)"

AFAIK digital signatures are created by encrypting the hash of the plaintext (be it content ofthe certificate or a message or whatnot). But yeah, RSA isn't really used for key exchanges due to it lacking forward secrecy. There are exceptions to this unfortunately, such as Apple's iMessage which is decades behind in cryptographic innovation.

[wolf550e]

Please don't repeat terrible 90s pedagogy about RSA. Even in RSA, the padding for signatures and for encryption is different (for very important reasons). The fact that RSA encryption and RSA signatures share code (but are not identical) is just a quirk of RSA that instead of making the thing simpler to explain made it harder to explain well - people think this generalizes and try to understand where is the encryption in Ed25519 or whatever and are very confused.

If you want to point out the difference between "public key operation" (encrypt, verify) and "private key operation" (decrypt, sign), use those terms. That makes sense and the distinction is important.

People end up with basically misinformation in their heads and other people on stackoverflow (and IRL) spend lots of time trying to sort them out. You just made the problem a little worse. Please don't do that.

Here is an actual cryptographer explaining: https://security.stackexchange.com/a/87373/70830